Coherent Eavesdropping Attacks in Quantum Cryptography: 
Nonequivalence of Quantum and Classical Key Distillation 

The security of a cryptographic key that is generated by communication through a noisy quantum channel relies on the ability to distill a shorter secure key sequence from a longer insecure one. We show that — for protocols that use quantum channels of any dimension and completely characterize them by state tomography — the noise threshold for classical advantage distillation is substantially lower than the threshold for quantum entanglement distillation because the eavesdropper can perform powerful coherent attacks. The earlier claims that the two noise thresholds are identical, which were based on analyzing incoherent attacks only, are therefore invalid.

Unavoidably, all practical implementations of protocols for quantum cryptography suffer from noise in the quantum channel and must, therefore, face the problem of generating a secure cryptographic key from noisy raw data. Since the noise can wholly result from eavesdropping attacks, the central question is: Where is the noise threshold below which the communicating parties, Alice and Bob, can generate a secure key at all?

Except at rather low noise levels, the extraction of a shorter secure key sequence from a longer, noisy and insecure, raw key sequence must involve a distillation procedure, either a variant of "quantum entanglement distillation" (QED 0) or of "classical advantage distillation" (CAD [2]). A recent paper asserts that, for an important class of protocols, "the thresholds for QED and CAD are the same" so that "the two distillation procedures are equivalent in the sense that neither offers a security advantage over the other", and the same conclusion has also been reached in Ref. and earlier in Ref. [5] for qubit protocols.

But the analysis in Refs. takes only incoherent attacks into account, in which eavesdropper Eve acquires as much information as possible about each individual entry in the raw key data shared by Alice and Bob. This raw key is, however, of secondary interest to Eve, who primarily wishes to know well the final, distilled key. Accordingly, she might be better off by satisfying her primary interest directly, rather than first maximizing her transitory knowledge of secondary interest.

Indeed, we report here that Eve can gain more knowledge about the final key sequence by a suitable coherent attack, if Alice and Bob make use of CAD. The actual noise threshold for CAD is therefore lower than the one found in Refs. [HQ. And since the threshold for QED is independent of Eve's eavesdropping strategy, it follows that the two distillation procedures are not equivalent: The noise level in a quantum channel can be above the CAD threshold but below the QED threshold.

In this context, then, coherent eavesdropping attacks truly outperform incoherent attacks. As plausible as this may seem in hindsight, it is not at all obvious. In fact, when neither QED nor CAD are performed, it has been argued that coherent attacks cannot be more powerful than incoherent attacks Q.

We reconsider the tomographic protocol for quantum cryptography of Refs. Q and 0|. A source distributes pairs of qunits ($n$-dimensional quantum objects, $n \geq 2$) to Alice and Bob, and they measure nondegenerate observables that are randomly chosen from a tomographically complete set of $n+1$ observables. Both keep a record of the observable they have measured for each pair and of the measurement result. As in Refs. 0, we denote by $|m_k\rangle$ the $k$th eigenket of Alice's $m$th observable and by $|\bar{m}_k\rangle$ the $k$th eigenket of Bob's $m$th observable. The correspondence between the orthonormal bases associated with the observables is established by requiring that

$$\langle 0_j | m_k \rangle = \langle \bar{m}_k | \bar{0}_j \rangle \tag{1}$$

holds for $j, k = 0, 1, 2, \ldots, n-1$ and $m = 0, 1, 2, \ldots, n$. We are thus pairing Alice's $m$th observable with Bob's $m$th observable.

This pairing is essential in defining the two-qunit state that Alice and Bob wish to receive from an ideal source. The two-qunit kets $|m_k \bar{m}_k\rangle$ refer to the $m$th pair of observables but, as a consequence of Eq. (1), the state is the same regardless of the $m$ value chosen in Eq. (2).

When the transmission is over, Alice and Bob publicly announce their choice of observables, their respective $m$ values, for all qunits, while keeping the measurement results, their nit values, secret. The qunit pairs constitute two groups, one in which the measurement bases match (both $m$ values are the same, which happens with probability $1/(n+1)$), and the other in which the bases do not match. In the absence of noise, the nit values of the first group are perfectly correlated and thus give rise to a cryptographic key in an alphabet with $n$ letters.

In reality, however, Alice and Bob must take into account Eve's attempts at eavesdropping and the resulting disturbance of the quantum channel. As a consequence, the source effectively emits qunit pairs whose properties are described by a statistical operator $\rho$ that differs from the ideal projector $|\psi\rangle\langle\psi|$. Since Alice and Bob measure tomographically complete sets of observables on their respective qunits, they can determine the actual $\rho$ from their measurement results. They exploit all data of the mismatched bases for this purpose, and some of the matched-bases data. Ideally, they wish for $\rho = |\psi\rangle\langle\psi|$ but, realistically, they expect to find a $\rho$ of the form

$$\rho = |\psi\rangle(\beta_0 - \beta_1)\langle\psi| + \frac{\beta_1}{n} = |\psi\rangle(1 - \varepsilon)\langle\psi| + \frac{\varepsilon}{n^2} \tag{3}$$

with $\beta_0 + (n-1)\beta_1 = 1$ and $\varepsilon = 1 - (\beta_0 - \beta_1) = n\beta_1$. This is what one gets when an imperfect transmission line admixes unbiased noise to $|\psi\rangle\langle\psi|$, the fraction of the admixture being quantified by the noise parameter $\varepsilon$ Q . The nonnegative parameters $\beta_0$ and $\beta_1$ have the following physical significance: $\beta_0$ is the probability that Alice and Bob get the same nit value when the bases match, and $\beta_1$ is the probability that Bob gets a particular one of the $n-1$ values that are different from Alice's nit value.

The relevant range of parameters is such that $0 < \beta_1 < \beta_0 < 1$ or $0 < \varepsilon < 1$ as only then the state $\rho$ has the interpretation of an admixture of noise to the pure state $|\psi\rangle\langle\psi|$. The limiting values mark the extreme situations of "no noise at all" ($\beta_0 = 1$, $\beta_1 = 0$, $\varepsilon = 0$) and "nothing but noise" ($\beta_0 = \beta_1 = 1/n$, $\varepsilon = 1$).

Sources that emit two-qunit states $\rho$ of a kind different from the one in Eq. (3) are not regarded as trustworthy by Alice and Bob. As the crucial, defining step of the tomographic protocol, they accept the source only if their state tomography confirms that the source emits statistically independent qunit pairs with a $\rho$ of the form (3). Otherwise, they switch to another source.

We grant Eve full control over the two-qunit source. Then, in order to acquire as much information about the key as possible, she entangles one ancilla each with the qunit pairs sent to Alice and Bob. Since they must receive the pairs in the state (3), Eve's choices are severely limited. She is bound to prepare entangled two-qunit ancilla states with a ket of the form [7]

fe=0 



(4) 



where the $|E^{(m)}_{kl}\rangle$ are normalized ancilla kets. The sets of ancilla states pertaining to different values of $m$ are unitarily equivalent. For a given $m$ value, the ancilla states $|E^{(m)}_{kl}\rangle$ with $k \neq l$ are orthogonal to each other and orthogonal to the ones with $k = l$. The latter are not orthogonal among themselves (except when $\beta_0 = \beta_1$, the case of pure noise and of very little interest), but rather have the same inner products for all pairs, i.e.,

$$\langle E^{(m)}_{kk} | E^{(m)}_{ll} \rangle = 1 - \frac{\beta_1}{\beta_0} = \frac{1 - \varepsilon}{1 - (1 - 1/n)\varepsilon} = \lambda \tag{5}$$

for $k \neq l$.

Alice and Bob can generate a secure key if the correlations between their nit values (i.e. their measurement results for matched bases) are stronger than the correlations between, say, Alice's values and the values that Eve obtains by whatever measurements on the respective ancillas. In technical terms, the mutual information between Alice and Bob must be larger than the mutual information between Alice and Eve ^(J-. The efficiency of the protocol is proportional to the difference between the two mutual information values.

If $\varepsilon$ is sufficiently small, this condition is already met for the raw key sequence (see Ref. 0] for the actual criterion), and then the generation of the secure key is a matter of applied coding theory. Alice and Bob know if this is the case because they have determined the actual value of $\varepsilon$ by the two-qunit-state tomography.

If $\varepsilon$ is found to be not "sufficiently small," then the raw data is too noisy and Alice and Bob must use a distillation procedure to improve the situation, either QED or CAD; see Refs. and 0, respectively. When employing QED, Alice and Bob process the qunit pairs before measuring the observables that give the nit values and so form, in essence, a purified set of qunit pairs with a new $\varepsilon$ value that is small enough. As established in Ref. Q], QED can be performed successfully if $\beta_0 > 2\beta_1$ and only then. In terms of the noise parameter $\varepsilon$ this means

$$\varepsilon < \varepsilon_{\mathrm{th}}^{(\mathrm{QED})} = \frac{n}{n+1}, \tag{6}$$

which thus identifies the noise threshold for QED. The two-qunit state of Eq. (3) is separable if $\varepsilon > \varepsilon_{\mathrm{th}}^{(\mathrm{QED})}$, so that QED exhausts the full range of $\varepsilon$ values for which cryptographic security is potentially possible, and no other procedure can ever have a larger $\varepsilon$ range.

Whereas the qunits are manipulated in QED, one processes the measured nit values when performing CAD. Therefore, the implementation of QED is a very challenging hardware problem whereas rather simple software is needed for CAD. This practical advantage of CAD over QED comes, however, at a price. As we now proceed to demonstrate, the noise threshold for CAD is lower than the QED threshold of Eq. (6).

In the CAD protocol Alice and Bob divide their raw key sequence of nit values (for the matched bases) into blocks of length $L$. For each block Alice tosses an $n$-sided die and adds, modulo $n$, the resulting random value to each value of the block. She so obtains a new block, which she sends to Bob through an authenticated but insecure public channel. After receiving the block, he subtracts his corresponding block from it (modulo $n$). If all the nit values are the same after the subtraction, which happens with probability $\beta_0^L + (n-1)\beta_1^L$, Bob informs Alice that this is a good block, otherwise it is a bad block.

All good blocks together define a distilled sequence of nit values, one value for each block: Alice records the random nit values she added, Bob the nit values he found after the subtraction. The distilled sequence can be characterized by probabilities $\beta_0^{(L)}$ (Bob has the same value as Alice) and $\beta_1^{(L)}$ (he has a particular one of the $n-1$ other values) that are the $L > 1$ analogs of their $L = 1$ versions in Eq. (3) and related to them by

$$\frac{\beta_0^{(L)}}{\beta_1^{(L)}} = \left(\frac{\beta_0}{\beta_1}\right)^{L}. \tag{7}$$

Accordingly, with growing $L$, the distilled sequence has exponentially less noise than the raw sequence.
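
The CAD round described above can be checked with a small Monte Carlo run. The Python below is an added example, not code from the paper: it models the matched-basis raw key classically (Bob agrees with Alice with probability β0, otherwise he holds one of the n−1 wrong values uniformly), and the function names, seed and sample size are assumptions of the example.

```python
import random

def betas(eps, n):
    """(beta0, beta1) from the noise parameter: eps = n*beta1, beta0 + (n-1)*beta1 = 1."""
    beta1 = eps / n
    return 1.0 - (n - 1) * beta1, beta1

def raw_pair(rng, n, beta0):
    """One matched-basis nit pair (constructed classical model of the raw key)."""
    a = rng.randrange(n)
    if rng.random() < beta0:
        return a, a                                # Bob agrees with Alice
    return a, (a + rng.randrange(1, n)) % n        # one of the n-1 wrong values, uniformly

def cad_block(alice, bob, die, n):
    """One CAD round. Returns (Alice's nit, Bob's nit) for a good block, None for a bad one."""
    public = [(a + die) % n for a in alice]        # block sent over the public channel
    diff = [(p - b) % n for p, b in zip(public, bob)]
    if len(set(diff)) != 1:
        return None                                # Bob announces a bad block
    return die, diff[0]

def simulate(eps, n, L, blocks, seed=1):
    """Fraction of good blocks and Alice/Bob agreement rate on the distilled nits."""
    rng = random.Random(seed)
    beta0, _ = betas(eps, n)
    good = agree = 0
    for _ in range(blocks):
        alice, bob = zip(*(raw_pair(rng, n, beta0) for _ in range(L)))
        out = cad_block(alice, bob, rng.randrange(n), n)
        if out is not None:
            good += 1
            agree += out[0] == out[1]
    return good / blocks, agree / good

def predicted(eps, n, L):
    """Good-block probability and distilled agreement probability beta0^(L)."""
    beta0, beta1 = betas(eps, n)
    p_good = beta0**L + (n - 1) * beta1**L
    return p_good, beta0**L / p_good
```

For ε = 0.45, n = 3 and L = 3 the raw agreement probability is 0.7, while about 98% of the distilled nits agree, at the cost of keeping roughly 35% of the blocks.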

After performing CAD, the resulting mutual information between Alice and Bob is given by

$$I_L(A\&B) = 1 + \beta_0^{(L)} \log_n \beta_0^{(L)} + \left(1 - \beta_0^{(L)}\right) \log_n \beta_1^{(L)} \tag{8}$$

with

$$\beta_0^{(L)} = \frac{\beta_0^L}{\beta_0^L + (n-1)\beta_1^L}, \tag{9}$$

where, for convenience, we measure information in nits ($\log_n$) rather than bits ($\log_2$). The asymptotic forms

$$\beta_0^{(L)} \simeq 1 - (n-1)(\beta_1/\beta_0)^L, \quad \beta_1^{(L)} \simeq (\beta_1/\beta_0)^L, \quad I_L(A\&B) \simeq 1 - (n-1)(\beta_1/\beta_0)^L \log_n (\beta_0/\beta_1)^L \tag{10}$$

apply for $L \gg 1$, so that the difference $1 - I_L(A\&B)$ decreases exponentially with increasing block length $L$.

Eve's strategy is as follows. She stores her ancillas and waits passively until Bob announces his approval or rejection of the given block to Alice over the public channel. The ancillas of the bad blocks are then of no further interest. For each good block Eve knows that either (I) all corresponding nit values in Alice's and Bob's blocks are the same, or (II) they differ by the same amount (modulo $n$). There is no room for any other possibility in the CAD protocol. For instance, Alice could have the block 0121 for $L = 4$ and $n = 3$, and then there are three possible blocks for Bob, namely 0121, 1202, or 2010, resulting from Alice's addition of 0, 1, or 2, respectively. The fraction $\beta_0^{(L)}$ of the good blocks are case-I blocks, the fraction $(n-1)\beta_1^{(L)} = 1 - \beta_0^{(L)}$ are case-II blocks.

For each good block, Eve has a corresponding set of ancilla states. Rather than measuring the ancillas one-by-one (incoherent attack), she performs a joint measurement on all $L$ of them (coherent attack) to acquire knowledge about the value that, say, Alice assigns to the block.

In case (II), Eve knows exactly Alice's and Bob's nit values because all the respective ancilla states $|E^{(m)}_{kl}\rangle$ have $k \neq l$ and are thus orthogonal to all other potential ones (recall the remark after Eq. (4)) and can be distinguished unambiguously.

In case (I), Alice and Bob have an identical block of nit values to begin with, and Eve's ancilla states are all of the $k = l$ kind. Although she can establish easily that the blocks are of case (I), she cannot distinguish the potential ancilla states unambiguously because they are not orthogonal to each other. Accordingly, Eve has no certain knowledge of the distilled nit values for case-I blocks. But by making good use of the classical information that is exchanged publicly between Alice and Bob during the distillation process, Eve can learn a lot about these nit values. In fact, she only needs to distinguish $n$ possible $L$-ancilla states, and they are almost orthogonal to each other when $L \gg 1$.

The situation is best illustrated with an example. Suppose that Alice and Bob have the same block 0121 for $n = 3$ and $L = 4$, and her random nit value is 1. After addition (modulo 3), she sends the processed block 1202 to Bob via a public channel. Eve, who is fully knowledgeable of all such broadcast information and has already established that she is dealing with a case-I block, then infers that the unprocessed block is either 1202, or 0121, or 2010, and the distilled values would be 0, 1, and 2, respectively. She concludes that the four ancillas in question are in the four-ancilla state with ket $|E_{11}E_{22}E_{00}E_{22}\rangle$, or $|E_{00}E_{11}E_{22}E_{11}\rangle$, or $|E_{22}E_{00}E_{11}E_{00}\rangle$, where the $E_{kk}$'s at the same positions have identical $m$ values that we leave implicit. Any two of these four-ancilla states have the same inner product of $\lambda^4$, inasmuch as

$$\langle E_{11}E_{22}E_{00}E_{22} | E_{00}E_{11}E_{22}E_{11} \rangle = \langle E_{11}|E_{00}\rangle \langle E_{22}|E_{11}\rangle \langle E_{00}|E_{22}\rangle \langle E_{22}|E_{11}\rangle = \lambda^4,$$

for instance. More generally, for each case-I block of length $L$, Eve needs to distinguish $n$ possible $L$-ancilla states, with inner products of $\lambda^L$ for each pair of states.

For large $L$, this inner product is very small and, therefore [11], Eve maximizes her mutual information with Alice (or Bob) by the so-called "square-root measurement", which is always the error-minimizing measurement. Her probability of inferring a distilled case-I nit value correctly is then given by |?J



and she gets a particular one of the $n-1$ wrong values with probability

$$\eta_1^{(L)} = \frac{1 - \eta_0^{(L)}}{n-1} = \left( \frac{\sqrt{1 + (n-1)\lambda^L} - \sqrt{1 - \lambda^L}}{n} \right)^2. \tag{12}$$

The resulting mutual information between Alice and Eve is

$$I_L(A\&E) = 1 + \eta_0^{(L)} \log_n \eta_0^{(L)} + \left(1 - \eta_0^{(L)}\right) \log_n \eta_1^{(L)}. \tag{13}$$

The asymptotic forms

$$\eta_0^{(L)} \simeq 1 - \tfrac{1}{4}(n-1)\lambda^{2L}, \quad \eta_1^{(L)} \simeq \tfrac{1}{4}\lambda^{2L}, \quad I_L(A\&E) \simeq 1 - \tfrac{1}{4}(n-1)\lambda^{2L} \log_n (1/\lambda)^{2L} \tag{14}$$

apply for $L \gg 1$, so that the difference $1 - I_L(A\&E)$ also decreases exponentially with increasing block length $L$.

Now, according to the Csiszár-Körner Theorem [10], a secure cryptographic key can be generated from the raw key sequence, by means of a suitably chosen error-correcting code and classical (one-way) communication between Alice and Bob, if the mutual information between Alice and Bob exceeds that between Eve and either of them. This ensures success of the CAD procedure whenever $I_L(A\&B) > I_L(A\&E)$ obtains.

Upon comparing the large-$L$ versions of the mutual informations in (10) and (14), we note that, for sufficiently long blocks, successful CAD is assuredly possible if $\beta_1/\beta_0 < \lambda^2$. Since $\lambda + \beta_1/\beta_0 = 1$, the corresponding criterion for the noise level is

$$\varepsilon < \varepsilon_{\mathrm{th}}^{(\mathrm{CAD})} = \frac{n}{n + (1 + \sqrt{5})/2}. \tag{15}$$

The CAD threshold value thus identified is always lower than the QED threshold value of Eq. (6), because the golden mean $(1 + \sqrt{5})/2$ exceeds unity.
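
The comparison of the two mutual informations can be carried out numerically at finite block length. The Python below is an added example, not code from the paper; it evaluates 1 − I_L(A&B) and 1 − I_L(A&E) from the error probabilities β1^(L) and η1^(L) (using η0^(L) = 1 − (n−1)η1^(L)), and the function names and the block-length cutoff `max_L` are assumptions of the example.

```python
import math

GOLDEN = (1 + math.sqrt(5)) / 2

def eps_th_qed(n):
    """QED threshold: beta0 > 2*beta1 rewritten in terms of eps."""
    return n / (n + 1)

def eps_th_cad(n):
    """CAD threshold under the coherent attack: beta1/beta0 < lambda**2."""
    return n / (n + GOLDEN)

def deficit(p_wrong, n):
    """1 - I (in nits) for an n-ary channel with n-1 equally likely wrong values."""
    if p_wrong == 0.0:
        return 0.0
    q = (n - 1) * p_wrong                       # total error probability
    # log1p keeps precision when q is tiny (long blocks)
    return -((1 - q) * math.log1p(-q) + q * math.log(p_wrong)) / math.log(n)

def deficits(eps, n, L):
    """(1 - I_L(A&B), 1 - I_L(A&E)); Eve's value is for case-I blocks."""
    beta1 = eps / n
    beta0 = 1 - (n - 1) * beta1
    r = beta1 / beta0
    lam = 1 - r                                 # overlap of Eve's k = l ancilla states
    bob_wrong = r**L / (1 + (n - 1) * r**L)     # beta1^(L)
    x = lam**L                                  # overlap of the n candidate L-ancilla states
    # eta1^(L) of the square-root measurement, written to avoid cancellation
    eve_wrong = (x / (math.sqrt(1 + (n - 1) * x) + math.sqrt(1 - x)))**2
    return deficit(bob_wrong, n), deficit(eve_wrong, n)

def first_secure_block_length(eps, n, max_L=200):
    """Smallest L <= max_L with I_L(A&B) > I_L(A&E), or None if there is none."""
    for L in range(1, max_L + 1):
        d_ab, d_ae = deficits(eps, n, L)
        if d_ab < d_ae:
            return L
    return None
```

For qubits, ε = 0.5 lies below the CAD threshold and a finite block length suffices, whereas ε = 0.6 lies between the CAD and QED thresholds and no block length up to the cutoff gives Alice and Bob the advantage.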

Figure 1 shows the two noise thresholds as a function of $n$, for $2 \leq n \leq 30$. It can be seen clearly that QED can tolerate substantially more noise in the channel than CAD, in particular in the qubit case of $n = 2$, where the thresholds are at $\varepsilon = 2/3 = 66.7\%$ and $\varepsilon = 1 - 1/\sqrt{5} = 55.3\%$, respectively.

In summary, we have established that Eve has a real advantage from coherent attacks if Alice and Bob perform CAD. The coherent attack that we describe in detail aims at getting optimal knowledge about each nit value of the distilled key individually. It is conceivable (but we do not consider it likely) that more involved coherent attacks, which would provide knowledge about groups of distilled-key nit values, are even more powerful. Strictly speaking, the threshold stated in Eq. (15) must, therefore, be regarded as an upper bound on the noise threshold for CAD.

We note further that other procedures for advantage distillation are also vulnerable to coherent attacks of the considered kind. This is true, in particular, for the parity-check distillation for qubit protocols, for which an analogous coherent attack can be analyzed easily [12].

FIG. 1: Noise thresholds $\varepsilon_{\mathrm{th}}$ for Quantum Entanglement Distillation (QED, full circles) and Classical Advantage Distillation (CAD, empty circles) under coherent eavesdropping attacks, as a function of the dimension $n$ of the transmitted quantum objects. QED can tolerate substantially more noise in the channel.